Network policies (#710)
* feat: add ingress network policies
j-zimnowoda committed Jan 26, 2022
1 parent 8d12cdf commit 777dcec
Showing 15 changed files with 23,777 additions and 23,408 deletions.
3 changes: 0 additions & 3 deletions adr/2021-11-17-copy-certs.md

This file was deleted.

30 changes: 0 additions & 30 deletions charts/team-ns/network-policies.yaml

This file was deleted.

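--- a/charts/team-ns/templates/networkpolicy.yaml
+++ b/charts/team-ns/templates/networkpolicy.yaml
@@ -0,0 +1,95 @@
+{{- $v := .Values }}
+{{- if not (eq $v.teamId "admin") }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: default-ingress-deny
+spec:
+podSelector: {}
+policyTypes:
+- Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: default-ingress-platform
+spec:
+# Match all Pods in this namespace
+podSelector: {}
+policyTypes:
+- Ingress
+ingress:
+- from:
+- namespaceSelector:
+matchLabels:
+name: istio-system
+- from:
+- namespaceSelector:
+matchLabels:
+# FIXME: it seems that knative operator wipes out 'name' label,
+# we can still rely on automatic k8s labeling but it has some prerequsites: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#automatic-labelling
+# name: knative-serving
+kubernetes.io/metadata.name: knative-serving
+- from:
+- namespaceSelector:
+matchLabels:
+name: monitoring
+podSelector:
+matchLabels:
+app: prometheus
+# - from:
+# - namespaceSelector:
+# matchLabels:
+# name: shared
+
+{{- range $s := $v.services }}
+{{- if not $s.isCore }}
+{{- $ingressPrivateMode := dig "networkPolicy" "ingressPrivate" "mode" "denyAll" $s }}
+{{- if eq $ingressPrivateMode "allowAll" }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: {{ $s.name }}-ingress-from-all-teams
+spec:
+podSelector:
+matchLabels:
+app: {{ $s.name }}
+policyTypes:
+- Ingress
+ingress:
+- from:
+- namespaceSelector:
+matchLabels:
+type: team
+{{- else if eq $ingressPrivateMode "allowOnly" }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: {{ $s.name }}-ingress-allow-only
+spec:
+podSelector:
+matchLabels:
+app: {{ $s.name }}
+policyTypes:
+- Ingress
+{{- with $s.networkPolicy.ingressPrivate.allow }}
+ingress:
+- from:
+{{- range . }}
+- namespaceSelector:
+matchLabels:
+name: team-{{ .team }}
+{{- if hasKey . "service" }}
+podSelector:
+matchLabels:
+app: {{ .service }}
+{{- end }} {{/* hasKey */}}
+{{- end }} {{/* range . */}}
+{{- end }} {{/* with ingressPrivate.allow */}}
+{{- end }} {{/* if ingressPrivateMode */}}
+{{- end }} {{/* not $s.isCore */}}
+{{- end }} {{/* range services */}}
+{{- end }} {{/* if $v.teamId */}}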
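Review bot: The platform allow-list in `default-ingress-platform` keys on the hand-set `name` namespace label for istio-system and monitoring (and on `name: team-{{ .team }}` in the allowOnly branch), while the knative-serving rule already had to fall back to `kubernetes.io/metadata.name` because that label gets wiped, as the FIXME above it records. The `kubernetes.io/metadata.name` label is set by the API server on every namespace once the automatic labelling the FIXME links to is available, so selecting on it uniformly, e.g. `kubernetes.io/metadata.name: istio-system`, removes the dependency on a label that a controller may drop or an admin may re-label and makes one misnamed namespace fail closed rather than open. Indentation is not preserved in this rendered view, so it cannot be confirmed here that the `podSelector` of the monitoring rule sits inside the same `from` entry as its `namespaceSelector` (AND: only prometheus pods in monitoring); as a separate peer it would instead match `app: prometheus` pods in the policy's own namespace, which is worth checking on the raw file. In the allowOnly branch the `with $s.networkPolicy.ingressPrivate.allow` guard omits the whole `ingress:` key when `allow` is absent or empty, producing a policy that selects the pod and admits nothing; that is consistent with `default-ingress-deny`, but a comment such as `{{/* empty allow list renders a policy with no ingress rules: deny, platform access still comes from default-ingress-platform */}}` would stop a reader from taking the rule-less policy for a rendering bug.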
1 change: 1 addition & 0 deletions core.yaml
Expand Up @@ -51,6 +51,7 @@ k8s:
disableIstioInjection: true
- name: knative-serving
disablePolicyChecks: true
disableIstioInjection: true
- name: kubeapps
disableIstioInjection: true
disablePolicyChecks: true
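--- a/helmfile.tpl/helmfile-connectivity.yaml
+++ b/helmfile.tpl/helmfile-connectivity.yaml
@@ -0,0 +1,125 @@
+# This release file define workloads used to verify connectivity between workloads
+#
+# Usage:
+# helmfile -f helmfile.tpl/helmfile-connectivity.yaml apply
+#
+# Observe status of client Pods with the following command:
+# watch 'kubectl get pods -l module=connectivity,type=client -A --sort-by=metadata.name'
+#
+# The Pod status 'Running' means that client is still attempting to reach out target
+# The Pod status 'NotReady' means that connection has succeded and container exited code of 0
+# The Pod status 'Error' means that connection did not succeded thus network policy denies traffic
+#
+# Example output
+# NAMESPACE NAME READY STATUS RESTARTS AGE
+# team-a1 client-c1-team-a1-to-s1-team-a1 2/3 Error 0 3m25s
+# team-a2 client-c1-team-a2-to-s1-team-a1 2/3 Error 0 3m25s
+# team-a1 client-c2-team-a1-to-s2-team-a1 2/3 NotReady 0 3m24s
+#
+# From above:
+# The pod client-c2-team-a1-to-s2-team-a1 was able to connect workload in team-a1 namespace and label app=s2
+# The pod client-c1-team-a2-to-s1-team-a1 was NOT able able to connect with workload in team-a1 namespace and label app=s1
+
+
+environments:
+default:
+values:
+- teamConnectivity:
+- server:
+namespace: team-a1
+labels:
+app: s1
+clients:
+- namespace: team-a1
+labels:
+app: c1
+- namespace: team-a2
+labels:
+app: c1
+- server:
+namespace: team-a1
+labels:
+app: s2
+clients:
+- namespace: team-a1
+labels:
+app: c2
+- namespace: team-a2
+labels:
+app: c2
+- server:
+namespace: team-a1
+labels:
+app: s3
+clients:
+- namespace: team-a1
+labels:
+app: c3
+- namespace: team-a2
+labels:
+app: c3
+- namespace: team-a2
+labels:
+app: c3b
+- server:
+namespace: team-a1
+labels:
+app: s4
+clients:
+- namespace: team-a1
+labels:
+app: c4
+- namespace: team-a2
+labels:
+app: c4
+- server:
+namespace: team-a1
+labels:
+app: s5
+clients:
+- namespace: team-a1
+labels:
+app: c5
+- namespace: team-a2
+labels:
+app: c5
+# - description: s10 does not any ingress except ingress from specific platform apps
+# server:
+# namespace: team-a1
+# labels:
+# app: s10
+# clients:
+# - namespace: istio-system
+# labels:
+# app: ingressgateway
+# - namespace: istio-system
+# labels:
+# app: istiod
+# - namespace: monitoring
+# labels:
+# app: prometheus
+# - namespace: shared
+# labels:
+# app: any
+
+# - description: s3 allows ingress from any pod from team-a2 namespace
+# server:
+# namespace: team-a1
+# labels:
+# app: s3
+# clients:
+# - namespace: team-a2
+# labels:
+# app: allowed1
+# - namespace: team-a2
+# labels:
+# app: allowed2
+# - namespace: team-a2
+# labels:
+# app: denied1
+releases:
+- name: inter-team-connectivity
+installed: true
+chart: ../charts/raw
+values:
+- ../values/connectivity/connectivity-raw.gotmpl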
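Review bot: The header comment's status legend has typos that slow down the one reader it is written for, the operator scanning `watch` output: `succeded` (twice) should be `succeeded`, `able able` should be `able`, `reach out target` reads better as `reach the target`, and `does not any ingress` in the commented s10 example is missing `allow`. The legend explains what each Pod status means, but none of the live `teamConnectivity` entries says which clients are expected to succeed or be denied, so a NotReady versus Error result cannot be judged against intent without reading the network policies themselves; the commented-out examples already carry a `description:` field, and adding one per live entry (e.g. `description: <expected outcome for this server>`) would make the check self-describing. Whether `description` is consumed or merely tolerated by `../values/connectivity/connectivity-raw.gotmpl` is outside this hunk.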
